Re: Configuring Inter-VDOM routing over IPsec
I seem to keep writing the same response again and again in this forum, as you can find by searching. Any IPsec-related problem, if something is not directly connected at the termination point of the IPsec, comes down to one of three components:
1) The phase 2 selector sets need to include all the traffic passing through. In your case, all 172.x.255.0/24 combinations. The easiest way is to change it back to the default 0/0<->0/0, which includes every combination.
2) Routing THROUGH the tunnel for all subnets in BOTH directions. Make sure you see all the /24 subnets at both pub-vdoms, half pointing into the tunnel interface and half to the local interface/vdom-link. [get router info routing-t all]
3) Policies at each section (vdom) allow the traffic in both directions.
Then, most importantly, you need to know how to debug it if it doesn't work as you intend. Mainly there are two or three skills you need to learn:
1) Check the routing table (get router info routing-t all).
2) Sniffing packets at interfaces to see whether the traffic is coming/going through the interface (diag sniffer packet <interface_name> '<expressions_for_filtering>' <output_format>). You can find examples/syntax on the internet. Just remember you have to disable ASIC offloading on the policies in case it's involved in the VPN encryption for those pub-vdoms.
3) "Flow debug" to find out WHY those packets are dropped or not going into the tunnel although sniffing shows they are getting into the pub-vdom. You can search for examples/how-tos on the internet or this forum.
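The three components and the debug steps from the reply above, written out as an added FortiOS CLI example; this is not configuration from the original post or from the poster. It assumes a VDOM named pub that terminates an IPsec tunnel interface called to-siteB, an inter-VDOM link named pub-int (FortiOS creates pub-int0 in pub and pub-int1 in the internal VDOM), and the constructed subnets 172.16.255.0/24 (local side) and 172.17.255.0/24 (remote side). Every name and address is a placeholder chosen for illustration.

```fortios
# Added example, not from the original post. VDOM "pub", tunnel "to-siteB",
# vdom-link "pub-int" and the 172.16/172.17 subnets are all assumed placeholders.

config vdom
    edit pub
        # 1) Phase 2 selectors: the default 0.0.0.0/0 <-> 0.0.0.0/0 pair covers
        #    every subnet combination. Narrower selectors would need one entry
        #    per local/remote /24 pair.
        config vpn ipsec phase2-interface
            edit "to-siteB-p2"
                set phase1name "to-siteB"
                set src-subnet 0.0.0.0 0.0.0.0
                set dst-subnet 0.0.0.0 0.0.0.0
            next
        end

        # 2) Routing: remote /24 goes THROUGH the tunnel interface, local /24
        #    goes back toward the internal VDOM over the vdom-link.
        config router static
            edit 1
                set dst 172.17.255.0 255.255.255.0
                set device "to-siteB"
            next
            edit 2
                set dst 172.16.255.0 255.255.255.0
                set device "pub-int0"
            next
        end

        # 3) Policies in BOTH directions. ASIC offload is disabled so the
        #    sniffer below actually sees the packets while troubleshooting.
        config firewall policy
            edit 10
                set name "int-to-siteB"
                set srcintf "pub-int0"
                set dstintf "to-siteB"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set auto-asic-offload disable
            next
            edit 11
                set name "siteB-to-int"
                set srcintf "to-siteB"
                set dstintf "pub-int0"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set auto-asic-offload disable
            next
        end
    next
end

# --- Debugging, run from inside the pub VDOM (config vdom / edit pub) --------
# Check the routing table: every /24 should appear, half via to-siteB,
# half via pub-int0.
get router info routing-table all

# Sniff on all interfaces for one test host; verbosity 4 prints headers plus
# the interface name, so you can see packets enter on pub-int0 and leave on to-siteB.
diagnose sniffer packet any 'host 172.17.255.10' 4

# Flow debug: explains WHY a packet is dropped or why it misses the tunnel.
# (On older FortiOS releases the "show function-name" line is
#  "diagnose debug flow show console enable" instead.)
diagnose debug reset
diagnose debug flow filter addr 172.17.255.10
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
# ... generate test traffic, read the trace, then switch it off:
diagnose debug disable
diagnose debug reset
```

The same three pieces have to exist mirrored on the other FortiGate's pub VDOM, and the internal VDOM at each site needs its own route for the remote /24 pointing at its end of the vdom-link (pub-int1 in this naming) plus matching policies, otherwise return traffic never reaches the tunnel in the first place.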